The use of biometric data by the banks in Panama
In May 2024, thousands of clients of Panama's largest bank woke up to the news that they had to provide their biometric data, specifically a facial biometric validation to access and use the mobile application of their bank. This was based on a lower hierarchy regulation such as Agreement 05 of 2021 of the Superintendency of Banks of Panama (SBP), the regulatory body of the banking activity in the country, and as a justification of an additional security measure for the provision of banking services.
But in Panama, since March 2021, Law 81 of 2019 on Personal Data Protection is in force, which aims to establish the principles, rights, obligations, and procedures that regulate the protection of personal data, considering its interrelation with the private life and other fundamental rights and freedoms of citizens, by natural and legal persons, of public or private law, lucrative or not, that process personal data.
The Panamanian Data Protection Law has a special peculiarity, unlike other data protection regulations in the world, and that is that it is supplementary for some sectors that before the entry into force of the Law, had issued any type of regulation for the protection of personal data and this is how Article 3 exempts from the scope of application of the Law, those treatments regulated by special laws or by regulations that develop it, As stated in article 3, numeral 3, which states that those treatments that are expressly regulated by special laws or by the rules that develop it are exempted from the scope of application of this Law, and one of the regulations that had developed in legal instruments such as agreements and resolutions, issues concerning the security of information in its sector, was the banking sector. Subsequently, through Agreement 1 of the year 2022, the SBP established special guidelines for protecting personal data processed by banking entities, based on the main principles and obligations outlined in Law 81 of 2019.
So, the banking regulations on data protection allow banking entities to process personal data without respecting the basic principles of personal data protection.
If Agreement 1 of 2022 was created based on the main principles and obligations pointed out by Law 81 of 2019 on Personal Data Protection, why the request for the transfer of biometric data, in its moments, was made with a series of considerations that we proceed to point out:
- The banking entity had not modified its privacy policy both in its web and mobile platform, regarding the treatment of biometric data.
- Biometric data are sensitive personal data, so their treatment must comply with a series of requirements, as indicated in Article 13, paragraph 1, which states that the owner of the data must give his explicit consent.
- The consent did not comply with the requirement of prior, informed and unequivocal, and above all the principle of free, since if you do not give your consent it is impossible to access the mobile application, to have access to your banking products, and therefore lacked the principle of information, clearly and concisely, since it was not pointed out to the bank user about what a transfer of their biometric data implied.
- The purpose of the processing, not only the purposes for which the information was requested, but also the appropriate manner in which this processing would be carried out.
The controversy surrounding the transfer of biometric data set a precedent in the country and a group of lawyers even filed a lawsuit of unconstitutionality before the Supreme Court of Justice for breach of a higher hierarchy norm over a lower one such as an Agreement.
However, it is still a common practice of many banking entities in Panama to request sensitive data without complying with the basic requirements for its processing.
Article provided by INPLP member: Lia P. Hernández Pérez (Legal IT Abogados, Panama)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)